This is an archive of the discontinued LLVM Phabricator instance.

Differential D25326

[StaticAnalyser] Don't merge different returns in ExplodedGraph
ClosedPublic

Authored by danielmarjamaki on Oct 6 2016, 8:06 AM.

Details

Reviewers
dcoughlin
a.sidorin
zaks.anna
NoQ
xazax.hun
Commits
rGd99ebc03f473: [analyzer] Don't merge different return nodes in ExplodedGraph
rC283554: [analyzer] Don't merge different return nodes in ExplodedGraph
rL283554: [analyzer] Don't merge different return nodes in ExplodedGraph
Summary

Returns when calling an inline function should not be merged in the ExplodedGraph unless they are same.

Background post on cfe-dev:
http://lists.llvm.org/pipermail/cfe-dev/2016-October/051001.html

Here is an example patch that solves my false positives and also fixes 2 false negatives in existing tests.

What do you think about this approach?

Diff Detail

Repository
rL LLVM

Event Timeline

danielmarjamaki updated this revision to Diff 73796.Oct 6 2016, 8:06 AM
danielmarjamaki retitled this revision from to [StaticAnalyser] Don't merge different returns in ExplodedGraph.
danielmarjamaki updated this object.
danielmarjamaki set the repository for this revision to rL LLVM.
danielmarjamaki added subscribers: cfe-commits, dcoughlin, NoQ.
zaks.anna added a subscriber: zaks.anna.Oct 6 2016, 11:34 AM

Daniel, please, add reviewers to this patch.

NoQ added a comment.Oct 6 2016, 7:07 PM

Funny facts about the Environment:

(a) Environment allows taking SVals of ReturnStmt, which is not an expression, by transparently converting it into its sub-expression. In fact, it only stores expressions.

Having just noticed (a), i also understand that (a) is not of direct importance to the question, however:

(b) With a similar trick, Environment allows taking SVal of literal expressions, but never stores literal expressions. Instead, it reconstructs the constant value by looking at the literal and returns the freshly constructed value when asked.

This leads to "return 0;" and "return 1;" branches having the same program state. The difference should have been within Environment (return values are different), however return values are literals, and they aren't stored in the Environment, and hence the Environment is equal in both states. If only the function returned, say, 0 and i, the problem wouldn't have been there.

This leaves us with two options:

  1. Tell the Environment to store everything. This would make things heavy. However, i do not completely understand the consequences of this bug at the moment - perhaps there would be more problems due to this state merging unless we start storing everything.
  1. Rely on the ProgramPoint to remember where we are. After all, why do we merge when program points should clearly be different? The program point that fails us is CallExitBegin - we could construct it with ReturnStmt and its block count to discriminate between different returns. It should fix this issue, and is similar to the approach taken in this patch (just puts things to their own place), however, as i mentioned, there might be more problems with misbehavior (b) of the Environment, need to think.

Finally, i'm not quite sure why CallExitBegin is at all necessary. I wonder if we could just remove it and jump straight to Bind Return Value, also need to think.

danielmarjamaki added reviewers: NoQ, zaks.anna, dcoughlin, a.sidorin, xazax.hun.Oct 7 2016, 1:03 AM

adding reviewers.

danielmarjamaki added a comment.Oct 7 2016, 1:16 AM
In D25326#564082, @NoQ wrote:

Funny facts about the Environment:

(a) Environment allows taking SVals of ReturnStmt, which is not an expression, by transparently converting it into its sub-expression. In fact, it only stores expressions.

Having just noticed (a), i also understand that (a) is not of direct importance to the question, however:

(b) With a similar trick, Environment allows taking SVal of literal expressions, but never stores literal expressions. Instead, it reconstructs the constant value by looking at the literal and returns the freshly constructed value when asked.

This leads to "return 0;" and "return 1;" branches having the same program state. The difference should have been within Environment (return values are different), however return values are literals, and they aren't stored in the Environment, and hence the Environment is equal in both states. If only the function returned, say, 0 and i, the problem wouldn't have been there.

I did not know "a" and "b", thanks for info.

This leaves us with two options:

  1. Tell the Environment to store everything. This would make things heavy. However, i do not completely understand the consequences of this bug at the moment - perhaps there would be more problems due to this state merging unless we start storing everything.
  1. Rely on the ProgramPoint to remember where we are. After all, why do we merge when program points should clearly be different? The program point that fails us is CallExitBegin - we could construct it with ReturnStmt and its block count to discriminate between different returns. It should fix this issue, and is similar to the approach taken in this patch (just puts things to their own place), however, as i mentioned, there might be more problems with misbehavior (b) of the Environment, need to think.
  1. yes sounds heavy.
  2. I assume you are right.. however as I understand it the ProgramPoint when CallExitBegin is called is the same (in the exit block). do you suggest that we take the ProgramPoint for the exit block's predecessor?

Finally, i'm not quite sure why CallExitBegin is at all necessary. I wonder if we could just remove it and jump straight to Bind Return Value, also need to think.

me too. however there is much I wonder about when it comes to ExplodedGraph. :-)

NoQ edited edge metadata.Oct 7 2016, 1:29 AM
In D25326#564185, @danielmarjamaki wrote:

as I understand it the ProgramPoint when CallExitBegin is called is the same (in the exit block). do you suggest that we take the ProgramPoint for the exit block's predecessor?

CallExitBegin is the program point. I propose to make different exits from the same function be different program points. This could be achieved by adding more members to the CallExitBegin class - return statement and block count would probably be sufficient.

In fact, not sure if we need block count. If we're, say, returning from a loop with the same statement, then we're either returning different values, or returning the same literal expression, so Environment would do the job for us well in both cases.

danielmarjamaki added a comment.Oct 7 2016, 2:40 AM

ok. As far as I see it's not trivial to know which ReturnStmt there was when CallExitBegin is created. Do you suggest that I move it or that I try to lookup the ReturnStmt? I guess it can be looked up by looking in the predecessors in the ExplodedGraph?

Finally, i'm not quite sure why CallExitBegin is at all necessary. I wonder if we could just remove it and jump straight to Bind Return Value, also need to think.

.. unless that is better apprach

NoQ added a comment.Oct 7 2016, 3:23 AM
In D25326#564239, @danielmarjamaki wrote:

ok. As far as I see it's not trivial to know which ReturnStmt there was when CallExitBegin is created.

We're in HandleBlockEdge, just pass down the statement from CFG here?

In D25326#564239, @danielmarjamaki wrote:

.. unless that is better apprach

It seems to have something to do with separation of duties between CoreEngine and ExprEngine. Kind of, CoreEngine explores the CFG, ExprEngine models effects of statements, and noticing end of function is CoreEngine's duty, while binding the return value is ExprEngine's duty, and CallExitBegin acts like a message from CoreEngine to ExprEngine so that they could work together. That's how it seems to me, but i'm not sure of the original intention here.

danielmarjamaki added a comment.Oct 7 2016, 3:53 AM
In D25326#564283, @NoQ wrote:
In D25326#564239, @danielmarjamaki wrote:

ok. As far as I see it's not trivial to know which ReturnStmt there was when CallExitBegin is created.

We're in HandleBlockEdge, just pass down the statement from CFG here?

I don't directly see how you mean. Code is:

void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) {

  const CFGBlock *Blk = L.getDst();

The Blk->dump() says:

[B0 (EXIT)]
   Preds (2): B1 B2
NoQ added a comment.Oct 7 2016, 3:54 AM
In D25326#564291, @danielmarjamaki wrote:

The Blk->dump() says:

[B0 (EXIT)]
   Preds (2): B1 B2

What about the source block?

danielmarjamaki added a comment.Oct 7 2016, 3:58 AM
In D25326#564291, @danielmarjamaki wrote:
In D25326#564283, @NoQ wrote:
In D25326#564239, @danielmarjamaki wrote:

ok. As far as I see it's not trivial to know which ReturnStmt there was when CallExitBegin is created.

We're in HandleBlockEdge, just pass down the statement from CFG here?

I don't directly see how you mean. Code is:

void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) {

  const CFGBlock *Blk = L.getDst();

The Blk->dump() says:

[B0 (EXIT)]
   Preds (2): B1 B2

Sorry... I think I see. L.getSrc() will give me the cfg block I am interested in.

danielmarjamaki updated this revision to Diff 73926.Oct 7 2016, 6:39 AM
danielmarjamaki edited edge metadata.
danielmarjamaki removed rL LLVM as the repository for this revision.

Refactoring.

NoQ accepted this revision.Oct 7 2016, 7:17 AM
NoQ edited edge metadata.

Yay, this is great. Thanks for investigating all those loss of coverage issues!

lib/StaticAnalyzer/Core/CoreEngine.cpp
610 ↗(On Diff #73926)

Space after ",".

639 ↗(On Diff #73926)

Space after ",".

lib/StaticAnalyzer/Core/ExprEngine.cpp
1792 ↗(On Diff #73926)

Space after ",".

This revision is now accepted and ready to land.Oct 7 2016, 7:17 AM
zaks.anna accepted this revision.Oct 7 2016, 9:23 AM
zaks.anna edited edge metadata.

Please, fix the style issues before committing.

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
266 ↗(On Diff #73926)

Add spaces around '=.'

dcoughlin edited edge metadata.Oct 7 2016, 10:03 AM

Can you also add a test that tests this more directly (i.e., with clang_analyzer_warnIfReached). I don't think it is good to have the only test for this core coverage issue to be in tests for an alpha checker. Adding the direct test would also make it easier to track down any regression if it happens. The 'func.c' test file might be a good place for such a test.

a.sidorin added inline comments.Oct 7 2016, 10:13 AM
test/Analysis/unreachable-code-path.c
201 ↗(On Diff #73926)

I have a small question. Is it possible to simplify this sample with removing of table[] array? Like putting something like i != 0 into condition. As I understand, the problem is not array-related.

NoQ added inline comments.Oct 7 2016, 10:15 AM
test/Analysis/unreachable-code-path.c
201 ↗(On Diff #73926)

Any UnknownVal in the condition would trigger this issue.

seurer added a subscriber: seurer.Oct 7 2016, 10:36 AM
Closed by commit rL283554: [analyzer] Don't merge different return nodes in ExplodedGraph (authored by danielmarjamaki). · Explain WhyOct 7 2016, 10:45 AM
This revision was automatically updated to reflect the committed changes.
danielmarjamaki added inline comments.Oct 10 2016, 12:44 AM
test/Analysis/unreachable-code-path.c
201 ↗(On Diff #73926)

Is it possible to simplify this sample with removing of table[] array?

I tried to simplify as much as possible. But as NoQ says an UnknownVal is required here for this test.

danielmarjamaki added a comment.Oct 10 2016, 12:56 AM
In D25326#564584, @zaks.anna wrote:

Please, fix the style issues before committing.

Sorry I missed that.

Ideally it would be possible to run clang-format on the files before committing. but currently I get lots of unrelated changes then.

Would it be ok to run clang-format on some files to clean up the formatting? At least some minor changes like removing trailing spaces.

NoQ added a comment.Oct 10 2016, 1:01 AM
In D25326#565919, @danielmarjamaki wrote:

Ideally it would be possible to run clang-format on the files before committing. but currently I get lots of unrelated changes then.

Would it be ok to run clang-format on some files to clean up the formatting? At least some minor changes like removing trailing spaces.

clang-format should be able to format small sections of the code, keeping in mind the rest of the file but not touching it. In vim, i use a hotkey for formatting the statement under cursor. I've seen a plugin for Xcode that clang-format's selected text. Also, there's this git clang-format thingy, which should be able to clang-format git changes and only them, i didn't try, but it might be universally useful.

dcoughlin added inline comments.Oct 10 2016, 8:23 AM
test/Analysis/unreachable-code-path.c
201 ↗(On Diff #73926)

This is worth a comment in the test then, so that if we ever add symbolic reasoning we'll know how to adjust the test.

You could also try to add a canary with clang analyzer eval after the if statement to force the test to fail if we do add this symbolic reasoning.

dcoughlin added a comment.Oct 10 2016, 8:30 AM
In D25326#565919, @danielmarjamaki wrote:
In D25326#564584, @zaks.anna wrote:

Please, fix the style issues before committing.

Would it be ok to run clang-format on some files to clean up the formatting? At least some minor changes like removing trailing spaces.

We generally try to avoid large-scale fixes of formatting and spacing issues if they are not on lines already modified by a patch. This makes it a bit easier to track down the original commit for a line and also reduces merge conflicts.

danielmarjamaki added a comment.Oct 13 2016, 4:30 AM

I agree with the comments from you dcoughlin but I am not sure how to do it.

Can you also add a test that tests this more directly (i.e., with clang_analyzer_warnIfReached). I don't think it is good to have the only test for this core coverage issue to be in tests for an alpha checker. Adding the direct test would also make it easier to track down any regression if it happens. The 'func.c' test file might be a good place for such a test.

I totally agree.

In func.c there such comments:
// expected-warning{{FALSE|TRUE|UNKNOWN}}

what does those FALSE|TRUE|UNKNOWN do?

I don't see what this will do:

clang_analyzer_eval(!f);

I want that both returns are reached. and I want to ensure that result from function is both 1 and 0.

You could also try to add a canary with clang analyzer eval after the if statement to force the test to fail if we do add this symbolic reasoning.

sounds good. sorry but I don't see how to do it.

dcoughlin added a comment.Oct 14 2016, 8:42 AM
In D25326#569061, @danielmarjamaki wrote:

You could also try to add a canary with clang analyzer eval after the if statement to force the test to fail if we do add this symbolic reasoning.

sounds good. sorry but I don't see how to do it.

The trick is to not first store the UnknownVal into a local (the analyzer will automatically create a symbol for that when read).

Instead you can do something like:

if (table[i] != 0) { }
clang_analyzer_eval((table[i] != 0)) // expected-warning {{UNKNOWN}}

This way if the analyzer ever starts generating symbols for a read from table[i] then the case split will change the eval to emit TRUE on one path and FALSE on the other.

dcoughlin mentioned this in D25728: Test ExprEngine handling of unknown values.Mar 6 2017, 10:21 AM
NoQ mentioned this in D58392: [analyzer] MIGChecker: Fix false negatives for releases in automatic destructors..Feb 19 2019, 10:47 AM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
Analysis/
4 lines
StaticAnalyzer/
Core/
PathSensitive/
5 lines
3 lines
3 lines
lib/
StaticAnalyzer/
Core/
22 lines
5 lines
test/
Analysis/
inlining/
4 lines
12 lines

Diff 73947

cfe/trunk/include/clang/Analysis/ProgramPoint.h

Show First 20 LinesShow All 616 Lines▼ Show 20 Lines
/// two program points: /// two program points:
/// - CallExitBegin /// - CallExitBegin
/// - Bind the return value /// - Bind the return value
/// - Run Remove dead bindings (to clean up the dead symbols from the callee). /// - Run Remove dead bindings (to clean up the dead symbols from the callee).
/// - CallExitEnd /// - CallExitEnd
class CallExitBegin : public ProgramPoint { class CallExitBegin : public ProgramPoint {
public: public:
// CallExitBegin uses the callee's location context. // CallExitBegin uses the callee's location context.
CallExitBegin(const StackFrameContext *L) CallExitBegin(const StackFrameContext *L, const ReturnStmt *RS)
: ProgramPoint(nullptr, CallExitBeginKind, L, nullptr) {} : ProgramPoint(RS, CallExitBeginKind, L, nullptr) { }
private: private:
friend class ProgramPoint; friend class ProgramPoint;
CallExitBegin() {} CallExitBegin() {}
static bool isKind(const ProgramPoint &Location) { static bool isKind(const ProgramPoint &Location) {
return Location.getKind() == CallExitBeginKind; return Location.getKind() == CallExitBeginKind;
} }
}; };
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h

Show First 20 LinesShow All 103 Lines▼ Show 20 Linesprivate:
/// Handle conditional logic for running static initializers. /// Handle conditional logic for running static initializers.
void HandleStaticInit(const DeclStmt *DS, const CFGBlock *B, void HandleStaticInit(const DeclStmt *DS, const CFGBlock *B,
ExplodedNode *Pred); ExplodedNode *Pred);
private: private:
CoreEngine(const CoreEngine &) = delete; CoreEngine(const CoreEngine &) = delete;
void operator=(const CoreEngine &) = delete; void operator=(const CoreEngine &) = delete;
ExplodedNode *generateCallExitBeginNode(ExplodedNode *N); ExplodedNode *generateCallExitBeginNode(ExplodedNode *N,
const ReturnStmt *RS);
public: public:
/// Construct a CoreEngine object to analyze the provided CFG. /// Construct a CoreEngine object to analyze the provided CFG.
CoreEngine(SubEngine &subengine, FunctionSummariesTy *FS) CoreEngine(SubEngine &subengine, FunctionSummariesTy *FS)
: SubEng(subengine), WList(WorkList::makeDFS()), : SubEng(subengine), WList(WorkList::makeDFS()),
BCounterFactory(G.getAllocator()), FunctionSummaries(FS) {} BCounterFactory(G.getAllocator()), FunctionSummaries(FS) {}
/// getGraph - Returns the exploded graph. /// getGraph - Returns the exploded graph.
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Linespublic:
void enqueue(ExplodedNodeSet &Set); void enqueue(ExplodedNodeSet &Set);
/// \brief Enqueue nodes that were created as a result of processing /// \brief Enqueue nodes that were created as a result of processing
/// a statement onto the work list. /// a statement onto the work list.
void enqueue(ExplodedNodeSet &Set, const CFGBlock *Block, unsigned Idx); void enqueue(ExplodedNodeSet &Set, const CFGBlock *Block, unsigned Idx);
/// \brief enqueue the nodes corresponding to the end of function onto the /// \brief enqueue the nodes corresponding to the end of function onto the
/// end of path / work list. /// end of path / work list.
void enqueueEndOfFunction(ExplodedNodeSet &Set); void enqueueEndOfFunction(ExplodedNodeSet &Set, const ReturnStmt *RS);
/// \brief Enqueue a single node created as a result of statement processing. /// \brief Enqueue a single node created as a result of statement processing.
void enqueueStmtNode(ExplodedNode *N, const CFGBlock *Block, unsigned Idx); void enqueueStmtNode(ExplodedNode *N, const CFGBlock *Block, unsigned Idx);
}; };
// TODO: Turn into a calss. // TODO: Turn into a calss.
struct NodeBuilderContext { struct NodeBuilderContext {
const CoreEngine &Eng; const CoreEngine &Eng;
▲ Show 20 LinesShow All 367 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 256 Lines▼ Show 20 Linespublic:
/// function has begun. Called for both inlined and and top-level functions. /// function has begun. Called for both inlined and and top-level functions.
void processBeginOfFunction(NodeBuilderContext &BC, void processBeginOfFunction(NodeBuilderContext &BC,
ExplodedNode *Pred, ExplodedNodeSet &Dst, ExplodedNode *Pred, ExplodedNodeSet &Dst,
const BlockEdge &L) override; const BlockEdge &L) override;
/// Called by CoreEngine. Used to notify checkers that processing a /// Called by CoreEngine. Used to notify checkers that processing a
/// function has ended. Called for both inlined and and top-level functions. /// function has ended. Called for both inlined and and top-level functions.
void processEndOfFunction(NodeBuilderContext& BC, void processEndOfFunction(NodeBuilderContext& BC,
ExplodedNode *Pred) override; ExplodedNode *Pred,
const ReturnStmt *RS=nullptr) override;
/// Remove dead bindings/symbols before exiting a function. /// Remove dead bindings/symbols before exiting a function.
void removeDeadOnEndOfFunction(NodeBuilderContext& BC, void removeDeadOnEndOfFunction(NodeBuilderContext& BC,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
/// Generate the entry node of the callee. /// Generate the entry node of the callee.
void processCallEnter(NodeBuilderContext& BC, CallEnter CE, void processCallEnter(NodeBuilderContext& BC, CallEnter CE,
▲ Show 20 LinesShow All 384 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h

Show First 20 LinesShow All 103 Lines▼ Show 20 Linespublic:
virtual void processBeginOfFunction(NodeBuilderContext &BC, virtual void processBeginOfFunction(NodeBuilderContext &BC,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst, ExplodedNodeSet &Dst,
const BlockEdge &L) = 0; const BlockEdge &L) = 0;
/// Called by CoreEngine. Used to notify checkers that processing a /// Called by CoreEngine. Used to notify checkers that processing a
/// function has ended. Called for both inlined and and top-level functions. /// function has ended. Called for both inlined and and top-level functions.
virtual void processEndOfFunction(NodeBuilderContext& BC, virtual void processEndOfFunction(NodeBuilderContext& BC,
ExplodedNode *Pred) = 0; ExplodedNode *Pred,
const ReturnStmt *RS = nullptr) = 0;
// Generate the entry node of the callee. // Generate the entry node of the callee.
virtual void processCallEnter(NodeBuilderContext& BC, CallEnter CE, virtual void processCallEnter(NodeBuilderContext& BC, CallEnter CE,
ExplodedNode *Pred) = 0; ExplodedNode *Pred) = 0;
// Generate the first post callsite node. // Generate the first post callsite node.
virtual void processCallExit(ExplodedNode *Pred) = 0; virtual void processCallExit(ExplodedNode *Pred) = 0;
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/CoreEngine.cpp

Show First 20 LinesShow All 303 Lines▼ Show 20 Lines FunctionSummaries->markVisitedBasicBlock(Blk->getBlockID(),
LC->getCFG()->getNumBlockIDs()); LC->getCFG()->getNumBlockIDs());
// Check if we are entering the EXIT block. // Check if we are entering the EXIT block.
if (Blk == &(L.getLocationContext()->getCFG()->getExit())) { if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {
assert (L.getLocationContext()->getCFG()->getExit().size() == 0 assert (L.getLocationContext()->getCFG()->getExit().size() == 0
&& "EXIT block cannot contain Stmts."); && "EXIT block cannot contain Stmts.");
// Get return statement..
const ReturnStmt *RS = nullptr;
if (!L.getSrc()->empty()) {
if (Optional<CFGStmt> LastStmt = L.getSrc()->back().getAs<CFGStmt>()) {
if (RS = dyn_cast<ReturnStmt>(LastStmt->getStmt())) {
if (!RS->getRetValue())
RS = nullptr;
}
}
}
// Process the final state transition. // Process the final state transition.
SubEng.processEndOfFunction(BuilderCtx, Pred); SubEng.processEndOfFunction(BuilderCtx, Pred, RS);
// This path is done. Don't enqueue any more nodes. // This path is done. Don't enqueue any more nodes.
return; return;
} }
// Call into the SubEngine to process entering the CFGBlock. // Call into the SubEngine to process entering the CFGBlock.
ExplodedNodeSet dstNodes; ExplodedNodeSet dstNodes;
BlockEntrance BE(Blk, Pred->getLocationContext()); BlockEntrance BE(Blk, Pred->getLocationContext());
▲ Show 20 LinesShow All 262 Lines▼ Show 20 Linesvoid CoreEngine::enqueueStmtNode(ExplodedNode *N,
bool IsNew; bool IsNew;
ExplodedNode *Succ = G.getNode(Loc, N->getState(), false, &IsNew); ExplodedNode *Succ = G.getNode(Loc, N->getState(), false, &IsNew);
Succ->addPredecessor(N, G); Succ->addPredecessor(N, G);
if (IsNew) if (IsNew)
WList->enqueue(Succ, Block, Idx+1); WList->enqueue(Succ, Block, Idx+1);
} }
ExplodedNode *CoreEngine::generateCallExitBeginNode(ExplodedNode *N) { ExplodedNode *CoreEngine::generateCallExitBeginNode(ExplodedNode *N,
const ReturnStmt *RS) {
// Create a CallExitBegin node and enqueue it. // Create a CallExitBegin node and enqueue it.
const StackFrameContext *LocCtx const StackFrameContext *LocCtx
= cast<StackFrameContext>(N->getLocationContext()); = cast<StackFrameContext>(N->getLocationContext());
// Use the callee location context. // Use the callee location context.
CallExitBegin Loc(LocCtx); CallExitBegin Loc(LocCtx, RS);
bool isNew; bool isNew;
ExplodedNode *Node = G.getNode(Loc, N->getState(), false, &isNew); ExplodedNode *Node = G.getNode(Loc, N->getState(), false, &isNew);
Node->addPredecessor(N, G); Node->addPredecessor(N, G);
return isNew ? Node : nullptr; return isNew ? Node : nullptr;
} }
void CoreEngine::enqueue(ExplodedNodeSet &Set) { void CoreEngine::enqueue(ExplodedNodeSet &Set) {
for (ExplodedNodeSet::iterator I = Set.begin(), for (ExplodedNodeSet::iterator I = Set.begin(),
E = Set.end(); I != E; ++I) { E = Set.end(); I != E; ++I) {
WList->enqueue(*I); WList->enqueue(*I);
} }
} }
void CoreEngine::enqueue(ExplodedNodeSet &Set, void CoreEngine::enqueue(ExplodedNodeSet &Set,
const CFGBlock *Block, unsigned Idx) { const CFGBlock *Block, unsigned Idx) {
for (ExplodedNodeSet::iterator I = Set.begin(), for (ExplodedNodeSet::iterator I = Set.begin(),
E = Set.end(); I != E; ++I) { E = Set.end(); I != E; ++I) {
enqueueStmtNode(*I, Block, Idx); enqueueStmtNode(*I, Block, Idx);
} }
} }
void CoreEngine::enqueueEndOfFunction(ExplodedNodeSet &Set) { void CoreEngine::enqueueEndOfFunction(ExplodedNodeSet &Set, const ReturnStmt *RS) {
for (ExplodedNodeSet::iterator I = Set.begin(), E = Set.end(); I != E; ++I) { for (ExplodedNodeSet::iterator I = Set.begin(), E = Set.end(); I != E; ++I) {
ExplodedNode *N = *I; ExplodedNode *N = *I;
// If we are in an inlined call, generate CallExitBegin node. // If we are in an inlined call, generate CallExitBegin node.
if (N->getLocationContext()->getParent()) { if (N->getLocationContext()->getParent()) {
N = generateCallExitBeginNode(N); N = generateCallExitBeginNode(N, RS);
if (N) if (N)
WList->enqueue(N); WList->enqueue(N);
} else { } else {
// TODO: We should run remove dead bindings here. // TODO: We should run remove dead bindings here.
G.addEndOfPath(N); G.addEndOfPath(N);
NumPathsExplored++; NumPathsExplored++;
} }
} }
▲ Show 20 LinesShow All 111 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 1,760 Lines▼ Show 20 Linesvoid ExprEngine::processBeginOfFunction(NodeBuilderContext &BC,
const BlockEdge &L) { const BlockEdge &L) {
SaveAndRestore<const NodeBuilderContext *> NodeContextRAII(currBldrCtx, &BC); SaveAndRestore<const NodeBuilderContext *> NodeContextRAII(currBldrCtx, &BC);
getCheckerManager().runCheckersForBeginFunction(Dst, L, Pred, *this); getCheckerManager().runCheckersForBeginFunction(Dst, L, Pred, *this);
} }
/// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path /// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path
/// nodes when the control reaches the end of a function. /// nodes when the control reaches the end of a function.
void ExprEngine::processEndOfFunction(NodeBuilderContext& BC, void ExprEngine::processEndOfFunction(NodeBuilderContext& BC,
ExplodedNode *Pred) { ExplodedNode *Pred,
const ReturnStmt *RS) {
// FIXME: Assert that stackFrameDoesNotContainInitializedTemporaries(*Pred)). // FIXME: Assert that stackFrameDoesNotContainInitializedTemporaries(*Pred)).
// We currently cannot enable this assert, as lifetime extended temporaries // We currently cannot enable this assert, as lifetime extended temporaries
// are not modelled correctly. // are not modelled correctly.
PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext()); PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
StateMgr.EndPath(Pred->getState()); StateMgr.EndPath(Pred->getState());
ExplodedNodeSet Dst; ExplodedNodeSet Dst;
if (Pred->getLocationContext()->inTopFrame()) { if (Pred->getLocationContext()->inTopFrame()) {
// Remove dead symbols. // Remove dead symbols.
ExplodedNodeSet AfterRemovedDead; ExplodedNodeSet AfterRemovedDead;
removeDeadOnEndOfFunction(BC, Pred, AfterRemovedDead); removeDeadOnEndOfFunction(BC, Pred, AfterRemovedDead);
// Notify checkers. // Notify checkers.
for (ExplodedNodeSet::iterator I = AfterRemovedDead.begin(), for (ExplodedNodeSet::iterator I = AfterRemovedDead.begin(),
E = AfterRemovedDead.end(); I != E; ++I) { E = AfterRemovedDead.end(); I != E; ++I) {
getCheckerManager().runCheckersForEndFunction(BC, Dst, *I, *this); getCheckerManager().runCheckersForEndFunction(BC, Dst, *I, *this);
} }
} else { } else {
getCheckerManager().runCheckersForEndFunction(BC, Dst, Pred, *this); getCheckerManager().runCheckersForEndFunction(BC, Dst, Pred, *this);
} }
Engine.enqueueEndOfFunction(Dst); Engine.enqueueEndOfFunction(Dst, RS);
} }
/// ProcessSwitch - Called by CoreEngine. Used to generate successor /// ProcessSwitch - Called by CoreEngine. Used to generate successor
/// nodes by processing the 'effects' of a switch statement. /// nodes by processing the 'effects' of a switch statement.
void ExprEngine::processSwitch(SwitchNodeBuilder& builder) { void ExprEngine::processSwitch(SwitchNodeBuilder& builder) {
typedef SwitchNodeBuilder::iterator iterator; typedef SwitchNodeBuilder::iterator iterator;
ProgramStateRef state = builder.getState(); ProgramStateRef state = builder.getState();
const Expr *CondE = builder.getCondition(); const Expr *CondE = builder.getCondition();
▲ Show 20 LinesShow All 998 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/inlining/InlineObjCClassMethod.m

Show First 20 LinesShow All 168 Lines▼ Show 20 Lines else
return 1; return 1;
} }
@end @end
@interface MyClassSelf : MyParentSelf @interface MyClassSelf : MyParentSelf
@end @end
@implementation MyClassSelf @implementation MyClassSelf
+ (int)testClassMethodByKnownVarDecl { + (int)testClassMethodByKnownVarDecl {
int y = [MyParentSelf testSelf]; int y = [MyParentSelf testSelf];
return 5/y; // Should warn here. return 5/y; // expected-warning{{Division by zero}}
} }
@end @end
int foo2() { int foo2() {
int y = [MyParentSelf testSelf]; int y = [MyParentSelf testSelf];
return 5/y; // Should warn here. return 5/y; // expected-warning{{Division by zero}}
} }
// TODO: We do not inline 'getNum' in the following case, where the value of // TODO: We do not inline 'getNum' in the following case, where the value of
// 'self' in call '[self getNum]' is available and evaualtes to // 'self' in call '[self getNum]' is available and evaualtes to
// 'SelfUsedInParentChild' if it's called from fooA. // 'SelfUsedInParentChild' if it's called from fooA.
// Self region should get created before we call foo and yje call to super // Self region should get created before we call foo and yje call to super
// should keep it live. // should keep it live.
@interface SelfUsedInParent : NSObject @interface SelfUsedInParent : NSObject
▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/unreachable-code-path.c

Show First 20 LinesShow All 188 Lines▼ Show 20 Linesvoid test12(int x) {
switch (x) { switch (x) {
case 1: case 1:
break; // not unreachable break; // not unreachable
case 2: case 2:
do { } while (0); do { } while (0);
break; break;
} }
} }
// Don't merge return nodes in ExplodedGraph unless they are same.
extern int table[];
static int inlineFunction(const int i) {
if (table[i] != 0)
return 1;
return 0;
}
void test13(int i) {
int x = inlineFunction(i);
x && x < 10; // no-warning
}